cvedb.io
CVE-2026-28674
HIGH · CVSS 7.2
EPSS exploitation probability: 0%
Published 2026-03-18T01:16:05.280 · Last modified 2026-06-17T10:28:52.560

Summary

xiaoheiFS is a self-hosted financial and operational system for cloud service businesses. In versions up to and including 0.3.15, the `AdminPaymentPluginUpload` endpoint lets admins upload any file to `plugins/payment/`. The endpoint only checks a hardcoded password (`qweasd123456`) and does not validate the uploaded file's content or type. A background watcher (`StartWatcher`) scans this folder every 5 seconds and, if it finds a new executable, runs it immediately, so an upload of an executable results in remote code execution (RCE). Version 4.0.0 fixes the issue.

Affected products

danvei233 — xiaoheifs


References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.